Tag Avast

InfoSec Week 22, 2018

Google Pixel 2 devices implement insider attack resistance in the tamper-resistant hardware security module that guards the encryption keys for user data.
It is not possible to upgrade the firmware that checks the user's password unless you present the correct user password.
https://android-developers.googleblog.com/2018/05/insider-attack-resistance.html

Avast Threat Labs analyzed malware pre-installed on thousands of Android devices. More than 18,000 Avast users already had this adware on their devices. Cheap smartphones are primarily affected.
https://blog.avast.com/android-devices-ship-with-pre-installed-malware

Great blog post about USB reverse engineering tools and practices by Glenn 'devalias' Grant.
http://devalias.net/devalias/2018/05/13/usb-reverse-engineering-down-the-rabbit-hole/

The FBI advises router users to reboot their devices in order to remove the VPNFilter malware, which is infecting 500k devices.
https://arstechnica.com/information-technology/2018/05/fbi-tells-router-users-to-reboot-now-to-kill-malware-infecting-500k-devices/

If you didn't hear about the recent arbitrary code execution vulnerabilities in Git (CVE-2018-11234, CVE-2018-11235), there is a high-level summary on the Microsoft DevOps blog.
https://blogs.msdn.microsoft.com/devops/2018/05/29/announcing-the-may-2018-git-security-vulnerability/

A white hat hacker received a $25,000 bug bounty for getting root access on all Shopify instances by leveraging a Server Side Request Forgery (SSRF) attack.
https://hackerone.com/reports/341876

Side-channel attacks on browsers using CSS3 features. The authors demonstrated how to deanonymize website visitors and more.
https://www.evonide.com/side-channel-attacking-browsers-through-css3-features/

The Underhanded Crypto Contest for 2018 has started; this year's topic has two categories: backdooring messaging systems and deceptive APIs. If you want to write a backdoor into a cryptographic implementation but not harm anybody, this is a good opportunity.
https://underhandedcrypto.com/2018/05/27/rules-for-the-2018-underhanded-crypto-contest/

Article about the new threat model and potential mitigations for the Chrome browser against Spectre-like vulnerabilities.
https://chromium.googlesource.com/chromium/src/+/master/docs/security/side-channel-threat-model.md

New article by The Intercept about Google's military drone AI contract. They want to make a fortune on image recognition.
https://theintercept.com/2018/05/31/google-leaked-emails-drone-ai-pentagon-lucrative/

Codechain: secure multiparty code reviews with signatures and hash chains.
According to the author, Codechain is not about making sure the code you execute is right, but making sure you execute the right code.
https://github.com/frankbraun/codechain

InfoSec Week 16, 2018

Google disables the domain fronting capability in its App Engine, which was used to evade censorship. What fortunate timing.
https://arstechnica.com/information-technology/2018/04/google-disables-domain-fronting-capability-used-to-evade-censors/

Bloomberg published an article on how Palantir is using War on Terror tools to track American citizens.
https://www.bloomberg.com/features/2018-palantir-peter-thiel/

Third-party JavaScript trackers are actively exfiltrating personal identifiers from websites that use the "Login with Facebook" button and other such social login APIs.
https://freedom-to-tinker.com/2018/04/18/no-boundaries-for-facebook-data-third-party-trackers-abuse-facebook-login/

The U.S. and the UK blame Russia for a campaign of hacks into routers, switches and other connected infrastructure.
https://www.forbes.com/sites/thomasbrewster/2018/04/16/russia-accused-of-hacking-network-infrastructure/

One of the people charged in the Reveton ransomware trojan case was actually working as a Microsoft network engineer.
https://www.bleepingcomputer.com/news/security/microsoft-engineer-charged-in-reveton-ransomware-case/

Intel processors now allow antivirus software (mostly Microsoft's right now) to use built-in GPUs for in-memory malware scanning.
https://arstechnica.com/gadgets/2018/04/intel-microsoft-to-use-gpu-to-scan-memory-for-malware/

Avast shared the CCleaner breach timeline. They were infiltrated via TeamViewer. More than 2.3 million users and 40 companies were infected.
https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer

Nice blog post about quantum-resistant hash-based signature schemes. No public key cryptography.
https://blog.cryptographyengineering.com/2018/04/07/hash-based-signatures-an-illustrated-primer/

The new Android P lets users change the default DNS server; it will also support DNS over TLS.
https://www.androidpolice.com/2018/04/14/google-explains-new-private-dns-setting-android-p/

There is a new web standard for authentication (WebAuthn), designed to replace the password login method with public key cryptography and biometrics.
https://www.w3.org/TR/2018/CR-webauthn-20180320/

OpenSSL is vulnerable to a cache timing attack in RSA key generation (CVE-2018-0737).
It could theoretically be exploited by a hypervisor, but they decided not to release an emergency fix.
https://mta.openssl.org/pipermail/openssl-announce/2018-April/000122.html

Endgame has released EMBER (Endgame Malware BEnchmark for Research), an open source collection of metadata and derived features from 1.1 million portable executable (PE) files, their hashes, and a benchmark model trained on those features.
https://github.com/endgameinc/ember

InfoSec Week 49, 2017

The "Janus" Android vulnerability (CVE-2017-13156) allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. The vulnerability allows attackers to inject malware into legitimate applications while avoiding detection.
https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures

According to research by Hanno Böck, Juraj Somorovsky and Craig Young, Bleichenbacher's attack on RSA PKCS#1 v1.5 encryption still works on almost 3% of the Alexa top million most visited websites. The researchers were even able to sign a message using Facebook's private TLS key. Vendors like Citrix, F5, Cisco, and multiple SSL implementations are affected.
https://robotattack.org/

HP had a keylogger in its touchpad driver, which was disabled by default but could be enabled by setting a registry value.
https://zwclose.github.io/HP-keylogger/

There is a remote root code execution flaw (CVE-2017-15944) in the Palo Alto Networks firewalls.
http://seclists.org/fulldisclosure/2017/Dec/38

Researchers from Group-IB spotted the operations of the Russian-speaking MoneyTaker group, which stole as much as $10 million from US and Russian banks.
https://securityaffairs.co/wordpress/66591/cyber-crime/moneytaker-group.html

Recorded Future analyzed costs of various cybercriminal services sold on the dark market.
https://www.recordedfuture.com/cyber-operations-cost/

Internet traffic for organizations such as Google, Apple, Facebook, Microsoft and Twitch was briefly rerouted to Russia.
https://bgpmon.net/popular-destinations-rerouted-to-russia/

Microsoft started rolling out an update for Malware Protection Engine to fix a remotely exploitable bug discovered by the British intelligence agency.
https://www.bleepingcomputer.com/news/security/microsoft-fixes-malware-protection-engine-bug-discovered-by-british-intelligence/

Avast open-sources RetDec machine-code decompiler for platform-independent analysis of executable files. It's based on LLVM.
https://blog.avast.com/avast-open-sources-its-machine-code-decompiler

Wireless network sniffer Kismet now supports the DJI DroneID UAV telemetry extensions.
http://blog.kismetwireless.net/2017/11/dji-uav-drone-id.html

Wazuh helps you gain deeper security visibility into your infrastructure by monitoring hosts at the operating system and application level.
It supports log management and analysis, integrity monitoring, anomaly detection and compliance monitoring.
https://github.com/wazuh/wazuh

Wifiphisher is a tool for automated, victim-customized phishing attacks against Wi-Fi clients.
https://github.com/wifiphisher/wifiphisher

InfoSec Week 37, 2017

SfyLabs' researchers discovered a new Android banking Trojan named Red Alert 2.0, which is being offered for rent on many dark web sites. It uses Twitter as a fallback mechanism for communication.
https://clientsidedetection.com/new_android_trojan_targeting_over_60_banks_and_social_apps.html

The Windows cleanup utility CCleaner, distributed by antivirus vendor Avast, contained multi-stage Floxif malware.
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
https://www.bleepingcomputer.com/news/security/avast-clarifies-details-surrounding-ccleaner-malware-incident/

According to the Slovak CSIRT, multiple Python packages in the PyPI repository were hit by a typosquatting attack.
http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/

Medfusion 4000 Wireless Syringe Infusion Pumps used in acute critical care settings could be remotely controlled and patients killed.
https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02

Kaspersky researchers discovered a new attack technique leveraging an undocumented Microsoft Word feature that loads PHP scripts hosted on third-party web servers.
https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899/

DigitalOcean warned that some pre-built and pre-configured applications (One-Click apps) offered by the cloud platform use default admin passwords.
http://www.securityweek.com/digitalocean-warns-vulnerability-affecting-cloud-users

A use-after-free bug in the Apache HTTP Server can leak pieces of arbitrary memory from the server. It is tracked as CVE-2017-9798, the "Optionsbleed" vulnerability.
https://nvd.nist.gov/vuln/detail/CVE-2017-9798
https://github.com/hannob/optionsbleed

Mr. SIP is a tool developed to audit and simulate SIP-based attacks.
https://github.com/meliht/mr.sip

InfoSec Week 26, 2017

The ExPetr/Petya ransomware which hit Ukraine last week is actually a disk wiper. Victims are not able to decrypt their data, as the encryption key is not stored anywhere.
https://securelist.com/schroedingers-petya/78870/

Blog post with details about the remotely triggerable stack-based buffer overflow found in Avast Antivirus software last year.
https://landave.io/2017/06/avast-antivirus-remote-stack-buffer-overflow-with-magic-numbers/

Linux systemd gives root privileges to usernames that start with a digit.
https://ma.ttias.be/giving-perspective-systemds-usernames-start-digit-get-root-privileges-bug/

WikiLeaks published a manual describing the "OutlawCountry" Linux malware, which redirects outgoing Internet traffic using netfilter/iptables. The second publication is ELSA, geo-location malware for Wi-Fi-enabled devices running the Microsoft Windows operating system.
https://wikileaks.org/vault7/releases/#OutlawCountry
https://wikileaks.org/vault7/#Elsa

Security researcher Benjamin Kunz-Mejri discovered a Skype (7.2, 7.35, and 7.36) zero-day remote buffer overflow vulnerability CVE-2017-9948.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9948

Great blog post about the problems of certificate revocation, alternative solutions, and how to do it better.
https://scotthelme.co.uk/revocation-is-broken/

Blog post about the novel reflective DLL injection technique called ThreadContinue, which uses the SetThreadContext() and NtContinue() API calls.
https://zerosum0x0.blogspot.sk/2017/07/threadcontinue-reflective-injection.html

InfoSec Week 24, 2017

The Erebus ransomware, distributed by a malicious advertisement campaign, is using the Rig exploit kit to infect Linux servers across the world.
Some companies have already had to pay.
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/erebus-linux-ransomware-impact-to-servers-and-countermeasures

FireEye published the anatomy of a cyber extortion scheme executed by the FIN10 group. They infiltrate company networks, steal valuable data, then attempt to extort executives and board members of the company.
https://www.hackread.com/wp-content/uploads/2017/06/fin10-cyber-extortionist-canadian-mining-firms-casinos-to-ransom.pdf
https://www.fireeye.com/blog/threat-research/2017/06/fin10-anatomy-of-a-cyber-extortion-operation.html

Researchers modified a USB-compatible e-cigarette charger into a keyboard emulator, so it can issue commands when connected to a PC.
http://news.sky.com/story/e-cigarettes-can-be-used-to-hack-computers-10908333

Wired has published an article about the malware behind the Ukraine power grid blackout.
https://www.wired.com/story/crash-override-malware/

A lottery computer programmer designed his code so that on three days of the year, he could predict winning numbers in some games.
https://www.bloomberg.com/news/articles/2017-06-12/programmer-pleads-guilty-to-theft-in-lottery-rigging-scandal

Part of the WikiLeaks Vault 7 release, Cherry Blossom, exposes the CIA's wireless hacking toolkit.
https://wikileaks.org/vault7/#Cherry Blossom

Cisco Talos has published BASS, an Automated Signature Synthesizer for malware detection.
https://github.com/Cisco-Talos/bass

Kernel vulnerabilities in several antivirus products (AVG, Avast, Avira, CheckPoint, K7) found by security researcher bee13oy.
https://github.com/bee13oy/AV_Kernel_Vulns

InfoSec Week 11, 2017

MalwareMustDie analyzed a new APT campaign with the Poison Ivy RAT payload. The malware uses obfuscated VBScript and PowerShell to finally drop the well-known RAT.
"The concept of infection is fileless, it's avoiding known signature for detection by multiple encodings and wraps, and it is also 100% avoiding the original attacker's working territory."
http://blog.0day.jp/p/english-report-of-fhappi-freehosting.html

A fake Chrome browser app named "Betaling - Google Chrome.exe" is spreading, mainly in the Netherlands. The application mimics basic browser functionality in order to steal users' credit card information.
https://www.bleepingcomputer.com/news/security/credit-card-stealer-disguises-as-google-chrome-browser/

A conspiracy theory is circulating around the car crash and death of journalist Michael Hastings. According to San Diego 6 News, Hastings had been investigating CIA Director John Brennan. He had also contacted WikiLeaks lawyer Jennifer Robinson just a few hours before he died, confirming that the feds were investigating his work. Was his vehicle remotely hijacked?
http://securityaffairs.co/wordpress/57094/intelligence/michael-hastings-crash-cia.html

Trend Micro has uncovered MajikPOS, new point-of-sale (PoS) malware with RAT functionality. MajikPOS mainly targets businesses in North America and Canada. It spreads via poorly secured VNC and RDP services.
http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/

Avast malware researcher Jakub Kroustek discovered the Kirk ransomware, new Star Trek-themed ransomware written in Python, probably the first one that uses Monero as the ransom payment of choice.
https://www.bleepingcomputer.com/news/security/star-trek-themed-kirk-ransomware-brings-us-monero-and-a-spock-decryptor/

Researchers at the Pwn2Own competition exploited the Microsoft Edge browser in a way that escapes the VMware Workstation virtual machine it runs in. Three different exploits in a row.
https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/

Very interesting article about the history of US information warfare.
"The United States was birthed in a stew of information, misinformation, disinformation, and propaganda projected by competing entities both internally and externally. Thus, instead of looking at the apparent success of Russian intelligence in the recent election as the perfected form of information warfare, it is worth considering colonial and revolutionary America to appreciate the historical precedent and perspective."
http://thestrategybridge.org/the-bridge/2017/3/8/information-warfare-isnt-russian-its-american-as-apple-pie

Intel Security has released CHIPSEC, a security framework able to evaluate whether the system firmware has been modified.
Intel also launched its first-ever bug bounty program.
https://github.com/chipsec/chipsec
https://www.hackerone.com/blog/Intel-launches-its-first-bug-bounty-program